SPF, part 3: configuring Postfix to check SPF records when receiving mail

(For extra fun, read parts 1 and 2 first.)

Now that you know how to configure an SPF record for your domain(s), the natural next step, if you administer an email server, is to start checking SPF records for the mail you receive.

Now, spammers are infamous for not respecting rules, not “playing nice”, so, you might ask, what makes me think they’ll set up SPF records for their domains, which would be kind of self-defeating? The obvious answer is that SPF doesn’t depend on the spammers’ collaboration. Since legitimate email senders use SPF to tell the world which servers they use to send email, it prevents others — such as the aforementioned spammers — from faking sender addresses to pretend they’re from those senders / domains.

To put it simply: if there’s an SPF record for the “gmail.com” domain, then you can — and should — reject mail purporting to be from something@gmail.com that doesn’t come from the servers listed in that record. In other words, anyone who fakes a @gmail.com address can’t fool your server, assuming you have it configured to use SPF.

Now, how to do that? There are many ways, of course, depending on the email server you use. The simple recipe below uses postfix-policyd-spf-perl to make Postfix reject mail from domains with properly configured SPF records when the mail comes from an unauthorized server (that is, one not listed in the record). This assumes you already have Postfix up and running.

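  • install postfix-policyd-spf-perl. In Ubuntu, just do an apt-get install postfix-policyd-spf-perl.
  • add this line to /etc/postfix/main.cf (the part before _time_limit must match the service name used in master.cf in the next step, otherwise the setting is not applied to the policy service):
    policy-spf_time_limit = 3600s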
  • add the following to /etc/postfix/master.cf:
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/bin/policyd-spf

    (change the path of policyd-spf if it’s installed somewhere else; that’s where the Ubuntu package puts it.)

  • in /etc/postfix/main.cf, find the smtpd_recipient_restrictions section, and, immediately after permit_mynetworks (and permit_sasl_authenticated, if you’re using that), add:
    check_policy_service unix:private/policy-spf
  • restart Postfix. Check your logs to see if everything is working properly.
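
The exchange that check_policy_service sets up, as an added example (not code from the original post or from postfix-policyd-spf-perl): Postfix sends the policy service name=value attributes ended by an empty line, and acts on the action= line it gets back. The SPF records, addresses and function names are constructed, DNS is replaced by an inline table, and only the ip4, ip6 and all mechanisms are modelled.

```python
import ipaddress

# Constructed sample policies; a real policy daemon fetches these from DNS TXT records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_request(text):
    """Parse one request from smtpd: name=value lines ended by an empty line."""
    body = text.split("\n\n", 1)[0]
    return dict(line.partition("=")[::2] for line in body.splitlines())

def spf_result(domain, client_ip):
    """Evaluate a record left to right; only ip4, ip6 and all are modelled."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech not in ("ip4", "ip6"):
            return "permerror"  # this model's choice: refuse to guess at other terms
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"

def policy_reply(request_text):
    """Build the reply written back to smtpd: one action line, then an empty line."""
    attrs = parse_request(request_text)
    client = attrs["client_address"]
    # Bounces have an empty envelope sender; fall back to the HELO name.
    domain = attrs.get("sender", "").rpartition("@")[2] or attrs.get("helo_name", "")
    result = spf_result(domain.lower(), client)
    if result == "fail":
        return f"action=550 5.7.1 SPF fail: {client} may not send for {domain}\n\n"
    return f"action=PREPEND Received-SPF: {result}\n\n"

# Constructed request: an outside host using the recipient's own domain as sender.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=203.0.113.25\nhelo_name=mail.example.net\n"
                  "sender=ceo@example.com\nrecipient=user@example.com\n\n")

print(policy_reply(SAMPLE_REQUEST), end="")
```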

Now, remember when in part 2 I mentioned a lesser-known reason for configuring the SPF record for your domain? It’s this: it’ll stop a lot of incoming spam. These days, a lot of spam email pretends to be from you (that is, it uses your email address as both the “From:” and “To:”), or at least from your domain (e.g. administrator@yourdomain, manager@yourdomain, and so on). I don’t know why spammers do that, but apparently it works, or else they wouldn’t do it (maybe victims get confused and think the email comes from someone in their company, or maybe webmail services tend — or at least did so once — to trust the user’s own address, I don’t know). Well, if you have SPF for your domain and your email server checks SPF records for incoming mail, then spam messages such as these will always be rejected, even when other methods of stopping spam (RBL lists, SpamAssassin, etc.) fail. Never again will you receive emails pretending to be from your own address.
